Should I make sure that I get all of the uids associated to my OpenPGP key signed, or is it enough to have one of them signed?

If Bob can guarantee that alice@example.com belongs to Alice, I can't see any security problem in assuming that Bob also guarantees alice@example.org to belong to Alice as well, if alice@example.com says so.

3 Answers

OpenPGP relies on a kind of Public Key Infrastructure known as Web of Trust. PKI is all about trust delegation: you gain confidence in the association between a given key and an identity through signatures which are verified with public keys you already trust. You "know" that Alice's public key is the one you see because Bob signed it, and you can verify it because you know Bob's public key; and you know Bob's public key because Charlie signed it.

Trust delegation does not scale well vertically. In the Alice/Bob/Charlie scenario, you know Charlie (you met him) and he gave you his public key, so you are quite sure that Charlie's key, as you know it, is correct. Thus you can verify the signature Charlie computed over Bob's key (that is, a signature over the pair "name=Bob,key=..."). So you can have confidence in that key being owned by Bob, but this requires Charlie to be honest and not too gullible. That might be a bit too much to ask; knowing Charlie's key does not automatically mean that whatever Charlie signs is Gospel. Yet you met Charlie (physically), so maybe you can trust him. For the third step, Bob signing Alice's key, you need even more from Charlie: indeed, you never met Bob. So, by trusting Bob's signature over Alice's key, you are actually betting on the idea that Bob is honest and not gullible; so you are relying on Charlie not only to be honest, but also to refuse to sign keys of other people who are not equally honest and not gullible. So Charlie has to be good at psychology and evaluating reliability of other people as well.

So, to sum up, the more certification steps there are, the looser the name/key binding is. There are two ways out of this:

In hierarchical PKI (like X.509), name/key binding (i.e. guaranteeing that a key really belongs to a given entity) and trust delegation are distinct; someone with the power to assert such bindings (a certificate authority) will accept to delegate that power only after making thorough investigations, and through a legally binding contract which lists responsibilities in full lawyer-compatible language. This makes certification trees acceptable, up to a depth of about three or four certificates.

In Web of Trust PKI, each "link" in a certification chain (a chain of signed keys, from a key you know to the key you want to use) is awarded a level of reliability, and you accumulate many chains until the accumulated reliability achieves a preset level. WoT PKI relies on mass effect: an active attacker may swindle one or two gullible users, but not the whole "community". The certification graph is supposed to be strongly overconnected.

Therefore, if Bob signs the key of alice@example.com, and alice@example.com signs the key of alice@example.org, then that's one extra step, hence one extra unreliability, which will have to be compensated by other chains -- chains which must end on alice@example.org without going through alice@example.com. From this, we conclude that you should get all your UIDs signed: this will make verification of your key easier.
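To make the accumulation rule above concrete, here is an added toy Web-of-Trust validity calculator (example code, not part of the original answer). It follows GnuPG's classic defaults in simplified form (one fully trusted or three marginally trusted introducers, ownertrust never inherited) and shows that a certification on alice@example.com does nothing for alice@example.org: that UID needs its own chains. Key ids such as ME, BOB, CAROL, DAVE and ERIN and the user ids are constructed sample data.

```python
"""Toy Web-of-Trust validity calculator (added example, not from the original post).
Simplified GnuPG classic rules: a user ID is valid once certified by COMPLETES_NEEDED
fully trusted or MARGINALS_NEEDED marginally trusted keys; a key introduces others only
once one of its own UIDs is valid and the user gave it ownertrust (never inherited).
Self-signatures convey no validity and are not listed. All data below is constructed."""
from typing import Dict, Set, Tuple

COMPLETES_NEEDED, MARGINALS_NEEDED, MAX_CERT_DEPTH = 1, 3, 5  # gpg defaults
UID = Tuple[str, str]  # (key id, user id string)


def valid_uids(ownertrust: Dict[str, str], certs: Dict[UID, Set[str]]) -> Set[UID]:
    """Return every (key, uid) pair that reaches validity under the rules above."""
    ultimate = {k for k, t in ownertrust.items() if t == "ultimate"}  # your own keys
    valid: Set[UID] = set()
    for _ in range(MAX_CERT_DEPTH):
        introducers = ultimate | {k for k, _ in valid
                                  if ownertrust.get(k) in ("full", "marginal")}
        step = set(valid)
        for uid, signers in certs.items():
            counted = signers & introducers
            fulls = sum(ownertrust[s] != "marginal" for s in counted)
            if fulls >= COMPLETES_NEEDED or len(counted) - fulls >= MARGINALS_NEEDED:
                step.add(uid)
        if step == valid:  # fixed point: nothing new became valid at this depth
            break
        valid = step
    return valid


def alice_uid_validity(org_signers: Set[str]) -> Dict[str, bool]:
    """Validity of Alice's two UIDs when Bob and Carol certified alice@example.com
    and only the keys in org_signers certified alice@example.org."""
    ownertrust = {"ME": "ultimate", "BOB": "full", "CAROL": "marginal",
                  "DAVE": "marginal", "ERIN": "marginal", "ALICE": "unknown"}
    certs: Dict[UID, Set[str]] = {
        ("BOB", "bob@example.net"): {"ME"},  # keys I checked in person and signed
        ("CAROL", "carol@example.net"): {"ME"},
        ("DAVE", "dave@example.net"): {"ME"},
        ("ERIN", "erin@example.net"): {"ME"},
        ("ALICE", "alice@example.com"): {"BOB", "CAROL"},
        ("ALICE", "alice@example.org"): set(org_signers),
    }
    valid = valid_uids(ownertrust, certs)
    return {u: ("ALICE", u) in valid for u in ("alice@example.com", "alice@example.org")}
```

With no certification on alice@example.org, or only Carol's marginal one, that UID stays invalid while alice@example.com is valid; Bob's single full certification or three marginal ones (Carol, Dave, Erin) bring it to the threshold.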

There are two dimensions to trust in OpenPGP. There's the question of trusting that the key really belongs to the person in question, and then there's trusting the person to take care of their keys. If Alice is careless with her keys, then an attacker might get her to sign a key under his control, or he might be able to steal her private key. For paranoia's sake, I would recommend getting everything signed.